
Static/Conduit problem

Status
Not open for further replies.

foxfire

Programmer
May 18, 2001
38
US
I have a PIX 515 that does not use access lists. I need workstations in the DMZ to access a network drive on the inside. I had this working once but did not save it and lost it after a reboot of the firewall. I put in:

static (inside,services) 10.0.2.227 10.0.0.153 netmask 255.255.255.0

but I can't figure out the proper conduit command to allow connections starting from the DMZ to the inside. I want users on the DMZ to reach the network drive (10.0.0.153) when they look for 10.0.2.227. I can reach the DMZ from the inside with no problems.

Thanks


 
Foxfire,
Please let me know if you resolve this. I am attempting the same idea, but in reverse. I need to map a network drive on a web server in the DMZ from clients on the inside.

Thanks,
Mike
 
conduit permit ip any host xxx.xxx.xxx.xxx

The xxx's are the IP of the "inside" computer. This will allow all traffic through; if you just want, say, SMTP or something, you would use a different syntax.
 
The conduit statement from baddos did not work. To let the inside get to the DMZ, I think the statements I have that make it work are:
nat (inside) 1 0 0
global (intface) 1 10.255.255.1-1.255.255.255.254

Hope it helps.
 
HI.

Best practice is not to allow that. Try to look for alternate solutions, for example use a script to copy the contents of that drive from the internal server to a mirror copy of the drive hosted on one of the DMZ hosts.

If you must allow this, try one of the following:
static (inside,services) 10.0.2.227 10.0.0.153
conduit permit tcp host 10.0.2.227 eq ftp 10.0.2.0 255.255.255.0
and implement an FTP server on the internal server 10.0.0.153.

If FTP is not an option either, then use a similar but more vulnerable approach:
static (inside,services) 10.0.2.227 10.0.0.153
conduit permit ip host 10.0.2.227 10.0.2.0 255.255.255.0

Bye
Yizhar Hurwitz
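To make the difference between the two suggestions above concrete, here is a small simulator (added for illustration, not posted by anyone in the thread and not Cisco code) that models the static translation plus each conduit and evaluates which DMZ-originated connections would reach 10.0.0.153. The source host 10.0.2.10 and the SMB ports are constructed sample inputs; the FTP-only conduit permits port 21 only, while the "permit ip" conduit also lets file-sharing ports through, which is the exposure Yizhar warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Modelled from the post above:
#   static (inside,services) 10.0.2.227 10.0.0.153
# DMZ hosts address the inside server as 10.0.2.227 (the global address);
# a conduit is matched against that global address before translation.
STATIC = {"10.0.2.227": "10.0.0.153"}   # global (DMZ-facing) -> real inside address


@dataclass
class Conduit:
    """Simplified 'conduit permit <proto> host <global_ip> [eq <port>] <foreign_net>'."""
    proto: str                # "ip" (any protocol) or "tcp"
    global_ip: str            # host the conduit opens up, as seen from the DMZ
    port: Optional[int]       # destination port, None = any port
    foreign_net: str          # permitted source network, CIDR form of the mask given

    def permits(self, src: str, dst: str, proto: str, dport: int) -> bool:
        if dst != self.global_ip:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.foreign_net):
            return False
        if self.proto != "ip" and proto != self.proto:
            return False
        if self.port is not None and dport != self.port:
            return False
        return True


# conduit permit tcp host 10.0.2.227 eq ftp 10.0.2.0 255.255.255.0
FTP_ONLY = Conduit("tcp", "10.0.2.227", 21, "10.0.2.0/24")
# conduit permit ip host 10.0.2.227 10.0.2.0 255.255.255.0
ANY_IP = Conduit("ip", "10.0.2.227", None, "10.0.2.0/24")


def evaluate(conduit: Conduit, src: str, dst: str, proto: str, dport: int) -> Optional[str]:
    """Return the inside address the packet is delivered to, or None if the PIX drops it."""
    if conduit.permits(src, dst, proto, dport):
        return STATIC.get(dst)
    return None


if __name__ == "__main__":
    for name, c in (("ftp-only", FTP_ONLY), ("permit-ip", ANY_IP)):
        for dport in (21, 139, 445):          # FTP, NetBIOS session, SMB (constructed)
            print(name, dport, evaluate(c, "10.0.2.10", "10.0.2.227", "tcp", dport))
```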
 